To perform meaningful, efficient reviews and audits which produce pertinent recommendations, promulgated auditing procedures must be observed. The scope and performance of routine audits will, to the extent practicable, be in conformity with the Summary of General and Specific Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors, Inc. and with the Standards for Audit of Governmental Organizations, Programs, Activities, and Functions issued by the Comptroller General of the United States. Conformity with these standards necessitates that the Office be involved in:
• planning audits
• reviewing controls
• verifying compliance with established policies, plans, and procedures
• verifying existence of assets
• testing transactions for validity
• observing the proper, economic, and efficient use of resources
• deterrence, detection, investigation and reporting of fraud
• documenting audit work
• communicating audit results
• following up on recommendations
• management advisory
The Office of Internal Auditing (OIA) works with management in a partnership/service function in evaluating the efficiency and effectiveness of University operations. The Office is responsible for audit coverage for the entire University. The size of the audit staff limits the number of audits that can be performed each year. When scheduling conflicts arise, the Chancellor will be consulted to determine priorities.
The major activities of this Office are reviewing internal controls and performing audits.
Review of Internal Controls
Standards for the Professional Practice of Internal Auditing 410.01.5. require the internal auditor to obtain an understanding of the audited departments internal control structure as a basis for planning the audit. The internal control structure includes the department's control environment, accounting system, and specific control procedures. A sufficient understanding of the internal control structure is required to plan the audit and to determine the nature, timing and extent of tests to be performed.
Planning and Scheduling
• Planning - The objectives for the Office of Internal Auditing are best obtained by planned action. The Office will maintain an annual audit plan, approved by the Chancellor and the Board of Trustees Audit Committee Chairperson, covering each fiscal year.
• Scheduling - The OIA will send out letters informing departments of the intent to perform an audit during the applicable period. The internal auditor will notify an area scheduled for an audit at least two (2) weeks before the scheduled beginning date. Approximately one week before the beginning date, the internal auditor will schedule an entrance interview with the manager and other auditee personnel the manager considers appropriate.
The entrance interview marks the beginning date for field work. The Internal Auditor will discuss the objectives and scope of the audit, estimated time for completion of the audit, on-site workspace requirements, procedures for communicating audit findings, and audit report procedures. The auditee will be requested to identify problem areas which the Internal Auditor may be able to offer assistance. Results of the entrance interview will be documented and placed in the planning file of the working papers for the particular audit.
Survey of Internal Controls
A review (study and evaluation) of internal control involves performing, as appropriate, a survey to become familiar with the activities, risks, and controls to identify areas for audit emphasis and to invite auditee comments and suggestions.
1. Review the system
Document the system by utilizing the following procedures:
• Discussions with the auditee.
• Interviews with individuals affected by the activity, e.g., users of the activity's output.
• On-site observations.
• Review of departmental procedures manuals; and management reports and studies.
• Analytical auditing procedures.
• Flowcharting, narratives, and/or questionnaires.
• Functional "walk-through" (tests of specific work activities from beginning to end).
• Documenting key control activities.
2. Evaluate the adequacy of Internal Controls
The survey results should be summarized and used to identify:
• Potential critical control points, control deficiencies, and/or excess controls.
• Significant audit issues and reasons for pursuing in more depth.
• Audit objectives, audit procedures, and special approaches such as computer assisted audit techniques (CAAT).
• The types of errors and irregularities that could occur.
• Whether the necessary procedures are prescribed and are being followed satisfactorily.
Once the internal control survey is initially completed, the file should be updated for each subsequent audit.
The Office of Internal Auditing performs two types of audits - scheduled and special. The annual audit plan reflects the activities to be audited each fiscal year. Procedures set forth herein are intended to be guidelines under which this Office will operate. Audits should be adequately planned. Audit procedures developed during the preliminary planning stage should be modified as appropriate during the course of the audit.
Audits of Major Financial Areas
Planning and Scheduling
Internal Control Survey
In addition to the following audit components, the above procedural processes, as previously noted, are performed when conducting scheduled and special audits.
Working papers are created to fit particular audit tasks and are subject to a great deal of flexibility. The working papers are a bridge between the actual audit work and the report issued. They are formally retained for subsequent reference and substantiation of reported conclusions and recommendations. The term "working papers" is used to describe the various schedules, analyses, forms, documents (manuals, audit programs), and memoranda that are prepared or obtained by the internal auditor during the course of an audit. This includes documents obtained from outside sources. Audit working papers are official University documents - a record of work done.
The heading of each page of the working papers should be prepared in a uniform manner.
The heading should include the following:
1. Name of the University
2. Activity under audit
3. Identification of contents
4. Time period covered
5. Initials of Auditor performing work
6. Date worked performed
7. Initials of Auditor approving work
8. Date approved
9. Page number
10. Index or reference number.
Formal Audit Program
The audit program states the objectives of the audit; sets forth the scope and degree of testing required to achieve the audit objectives in each phase of the audit; and documents the procedures for collecting, analyzing, interpreting and documenting information during the audit. Procedures may be modified as additional information is acquired during the course of an audit. All audit programs developed for use in the OIA require the approval of the Audit Director.
Communication of Findings
Exceptions noted during the audit are communicated orally as found and graphically with a recommendation for each finding after completion of applicable audit section. (All findings require approval of the Audit Director.) The audited department is requested to return communications with departmental responses to the OIA in two weeks. Auditee responses are included with findings and recommendations in the final audit report (except in the case of fraud and some special request audits).
Internal auditors should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports (Standards for the Practice of Internal Auditing 430.02). A draft of the audit report is reviewed at the exit conference. The exit conference allows the auditee the opportunity to discuss, challenge, and seek clarification of any finding, recommendation or report content. After the exit conference, a second report draft (if necessary) is reviewed in a meeting with senior management to discuss the implications of the audit and other concerns that may arise.
Senior officers expect and are entitled to an independent opinion. A signed written report will be issued after audit completion and should be objective, clear, concise, constructive and timely. The final report includes a statement evaluating auditee responses. The evaluation statement will indicate whether the responses have or have not satisfied the requirements of the stated recommendations.
The OIA will conduct follow-up reviews of audited departments with a high volume of audit findings and/or material internal control weaknesses. If the review reveals that the department has not taken appropriate action, or adequately adjusted its practices to resolve audit problems, the Audit Director will notify appropriate University management.
Special audits are usually performed at management's request. However, when auditing a particular area, questions or problems in other areas may be discovered, and these become areas for future audits.
Special audits may be financial and/or operational in nature. The audit approach and procedures for financial audits are the same as for "
Audits of Major Financial Areas." The major objective of operational audits is an appraisal of the operations toward accomplishing management's objectives. The objectives must be clearly defined, well documented, and properly disseminated.The following steps are typical of an operational audit:
1. Request from management (or need observed by the Auditor) for the audit of an operational area.
2. Advance preparation - The auditor should study job descriptions and procedures manuals, read trade journals, and discuss technical matters with the designated staff person in the area under review. Top management should notify the director of the forthcoming audit, who in turn should notify personnel in the area and designate a liaison or resource person.
3. Initial survey - The auditor should know the organizational structure of the area, the assignment of duties, the flow of work, and the nature and timing of reports. During this phase of the audit, the Auditor should also become familiar with management's general objectives for the operation, knowledgeable of the manner in which the personnel attempt to accomplish these objectives, what procedures are followed, what controls are in effect, and what problems are encountered. At this point, the Auditor may take a small sample of supporting evidence to substantiate what is reported. All work and findings should be documented in the working papers.
4. Audit program - After becoming thoroughly familiar with the operation, the Auditor can determine the steps of the audit program. Knowledge of the operation increases throughout the conduct of the examination, therefore, the audit program is always subject to modification. Consulting with the director of the area under review on steps to be included in the audit program ensures the inclusion of areas viewed as problems and encourages an attitude of cooperation.
5. Investigation and analysis - Following the audit program, the Auditor:
a. examines sufficient evidence to reach a conclusion about how closely the assignment of responsibilities and the conduct of operations follow the procedures and controls established to reach management's objectives;
b. reviews staffing assignments to determine that jobs are filled with persons having proper training;
c. reviews equipment, materials, and forms used in operations to determine that they are the most appropriate and are being used as intended;
d. determines whether operating records are accurate and reports are factual, complete, and issued in a timely and meaningful manner;
e. determines whether internal controls are enforced and are coordinated properly with controls in other operational areas.
6. Evaluation and recommendation - During the examination, the Auditor should discuss informally the findings and possible recommendations with appropriate personnel. Comments and reactions from these persons are important considerations in arriving at final recommendations.Evaluation of findings is done simultaneously as the Auditor goes through the investigation and analysis of procedures phase. At the conclusion of the investigation and analysis phase, the Auditor takes a comprehensive view of the facts, and is in a position to evaluate the operational area in terms of the extent to which it follows proper procedures and the reasons for any deviations. Minor discrepancies should be brought to the attention of a supervisor at the lowest possible level who is in a position to authorize correction. These items and the corrective action should be noted in the working papers.
7. Audit Report - A signed written report will be issued after audit completion and should be objective, clear, concise, constructive and timely. The final report includes a statement evaluating auditee responses. The evaluation statement will indicate whether the responses have or have not satisfied the requirements of the stated recommendations.
Surprise Cash Counts
Cash is a high risk asset that is relatively difficult to control. The surprise cash count is a method employed to help control cash. The principal ingredient is the element of surprise. Surprise cash counts of all cash on hand in the cashier's office should be performed biannually. Selected outlying receipting centers will be surprised counted during the fiscal year. Receipting centers with known problem areas and/or a high volume of cash activity will be visited more frequently.
The primary audit procedures employed for cash counts are:
1. Counting by the auditor - The auditor should insist on being observed by an employee of the auditee continuously while the cash count is underway. The auditee may perform the actual count while the auditor observes and records the necessary information.
2. Inspection of items - checks, money orders for regularity and apparent validity.
3. Subsequent agreement of count totals to the accounting records.
The auditor's evaluation of the auditee's internal accounting control over cash should heavily influence the extent and intensity of the auditing procedures employed.
ASSESSMENT OF OPERATIONS
Internal Auditing activities will be conducted in compliance with University objectives and policies; Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors, Inc.; Standards for Audit of Governmental Organizations, Programs, Activities, and Functions issued by the Comptroller General of the United States; and standards, ethics, accounting requirements, and studies of professional internal auditing and public accounting groups including the American Institute of Certified Public Accountants and the Institute of Internal Auditors, Inc.
Standards for the Professional Practice of Internal Auditing 1300 states that "The director of internal auditing should establish and maintain a quality assurance program to evaluate the operations of the internal auditing department." The audit director assures that an external peer assistance/review is performed periodically to provide the university with an independent assessment of the effectiveness of the internal audit function. The scope of such reviews include the five general audit standards of Independence, Professional Proficiency, Scope of Work, Performance of Audit Work, and Management of the Internal Auditing Department.